Hello, I'm having a problem with code mismatch when instrumenting cldflt.sys.
I didn't quite figure out what caused it. Code alignment, or some section not fixed?

This is IDA; it's normal.
.text_:FFFFF801813673CC 90                   nop
.text_:FFFFF801813673CD 90                   nop
.text_:FFFFF801813673CE 90                   nop
.text_:FFFFF801813673CF 90                   nop
.text_:FFFFF801813673D0 90                   nop
.text_:FFFFF801813673D1 90                   nop
.text_:FFFFF801813673D2 90                   nop
.text_:FFFFF801813673D3 48 FF 15 7E 10 FA FF call cs:PsGetProcessPeb
.text_:FFFFF801813673DA 0F 1F 44 00 00       nop dword ptr [rax+rax+00h]
.text_:FFFFF801813673DF 48 85 C0             test rax, rax
.text_:FFFFF801813673E2 0F 84 A4 00 00 00    jz loc_FFFFF8018136748C
.text_:FFFFF801813673E8 90                   nop
.text_:FFFFF801813673E9 90                   nop
.text_:FFFFF801813673EA 90                   nop
This is WinDbg; after PsGetProcessPeb, its code is completely messed up.
fffff801813673cc 90              nop
fffff801813673cd 90              nop
fffff801813673ce 90              nop
fffff801813673cf 90              nop
fffff801813673d0 90              nop
fffff801813673d1 90              nop
fffff801813673d2 4c8b157f10faff  mov r10, qword ptr [cldflt_instrumented!_imp_PsGetProcessPeb (fffff80181308458)]
fffff801813673d9 e8e25dbef1      call nt!PsGetProcessPeb (fffff80172f4d1c0)
fffff801813673de 004885          add byte ptr [rax-7Bh], cl ds:002b:0000005172f5af85=??
fffff801813673e1 c00f84          ror byte ptr [rdi], 84h
fffff801813673e4 a4              movs byte ptr [rdi], byte ptr [rsi]
fffff801813673e5 0000            add byte ptr [rax], al
fffff801813673e7 009090909090    add byte ptr [rax-6F6F6F70h], dl
fffff801`813673ed 90              nop
Hi,
- What exact version of cldflt.sys are you trying to instrument?
- What was the full command line you used?
- What's the address that was instrumented badly?
cldflt.sys version: 10.0.19041.5369

pe_afl.py -n cldflt.sys cldflt.sys.dump.json
pe_afl.py -l 6 -nt ntoskrnl.exe cldflt.sys cldflt.sys.dump.json

Both of the above commands have this problem.

cldflt.instrumented.sys!9B9B9
.text_:000000000009B9B7 58                   pop rax
.text_:000000000009B9B8 5B                   pop rbx
.text_:000000000009B9B9 48 FF 15 98 CA F8 FF call cs:PsGetProcessPeb
.text_:000000000009B9C0 0F 1F 44 00 00       nop dword ptr [rax+rax+00h]
.text_:000000000009B9C5 48 85 C0             test rax, rax

cldflt.sys!599D
.text:000000000000599D call cs:PsGetProcessPeb
.text:00000000000059A4 nop dword ptr [rax+rax+00h]
.text:00000000000059A9 test rax, rax
.text:00000000000059AC jz short loc_59E6

It looks fine in IDA, but when I run it, I get that problem. This is the only place where there is a problem, because I can run it after manually patching it.
If it looks okay statically but has an issue when running, it's possibly related to a bad relocation entry. I suggest running the script with verbose output and searching for a relocation entry for the address after the PsGetProcessPeb, where there shouldn't be one. I'm glad that it works for you after patching because I'm not sure I'll be able to work on it in the near term.
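One way to run the check suggested above, as an added example that is not part of pe_afl or of this thread: walk the raw bytes of the image's .reloc section and report any base relocation whose fixup overlaps a given RVA range, here the five-byte nop that follows the call at instrumented RVA 0x9B9B9. The .reloc bytes are assumed to come from whatever PE parser you use (the section's raw data); the sample section below is constructed, not taken from cldflt.sys.

```python
import struct
from typing import Iterator, List, Tuple

# Base relocation types from winnt.h that matter for an x64 driver.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup applied
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit fixup
IMAGE_REL_BASED_DIR64 = 10     # 64-bit fixup
FIXUP_WIDTH = {IMAGE_REL_BASED_HIGHLOW: 4, IMAGE_REL_BASED_DIR64: 8}


def iter_base_relocations(reloc_data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (rva, type) for every non-padding entry in raw .reloc bytes.

    A block is IMAGE_BASE_RELOCATION (VirtualAddress u32, SizeOfBlock u32)
    followed by u16 entries: high 4 bits type, low 12 bits offset in the page.
    """
    off = 0
    while off + 8 <= len(reloc_data):
        page_rva, size = struct.unpack_from("<II", reloc_data, off)
        if size < 8 or off + size > len(reloc_data):
            break  # truncated or corrupt block header: stop rather than misparse
        for eoff in range(off + 8, off + size - 1, 2):
            (entry,) = struct.unpack_from("<H", reloc_data, eoff)
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + page_off, rtype
        off += size


def relocations_touching(reloc_data: bytes, start_rva: int, length: int) -> List[Tuple[int, int]]:
    """Return entries whose fixup overlaps [start_rva, start_rva + length).

    Run it over the bytes right after a patched call: a fixup there means the
    loader will rewrite code that the instrumentation already shifted.
    """
    end = start_rva + length
    hits = []
    for rva, rtype in iter_base_relocations(reloc_data):
        width = FIXUP_WIDTH.get(rtype, 2)
        if rva < end and rva + width > start_rva:
            hits.append((rva, rtype))
    return hits


# Constructed sample .reloc section (not from cldflt.sys): page 0x9B000 holds a
# legitimate DIR64 at +0x100 and a stray DIR64 at +0x9C0, i.e. the nop right
# after the call at RVA 0x9B9B9 in the report; page 0x9C000 holds one entry.
SAMPLE_RELOC = (
    struct.pack("<IIHHHH", 0x9B000, 16, 0xA100, 0xA9C0, 0x0000, 0x0000)
    + struct.pack("<IIHH", 0x9C000, 12, 0xA010, 0x0000)
)
```

The mov r10 / call nt!PsGetProcessPeb sequence in the WinDbg output has the shape of the kernel's import-optimization patch, which is driven by the dynamic value relocation table in the load config directory rather than by .reloc, so the same overlap check is worth applying to those entries as well.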